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Abstract 

The vast majority of today's critical infrastructure is supported by numerous feedback control loops 
and an attack on these control loops can have disastrous consequences. This is a major concern since 
modern control systems are becoming large and decentralized and thus more vulnerable to attacks. This 
paper is concerned with the estimation and control of linear systems when some of the sensors or 
actuators are corrupted by an attacker. 

In the first part we look at the estimation problem where we characterize the resilience of a system to 
attacks and study the possibility of increasing its resilience by a change of parameters. We then propose 
an efficient algorithm to estimate the state despite the attacks and we characterize its performance. Our 
approach is inspired from the areas of error-correction over the reals and compressed sensing. 

In the second part we consider the problem of designing output-feedback controllers that stabilize 
the system despite attacks. We show that a principle of separation between estimation and control holds 
and that the design of resilient output feedback controllers can be reduced to the design of resilient 
state estimators. 

I. Introduction 

Today's large-scale control systems are present everywhere in order to sustain the normal 
operation of many of the critical processes that we rely on. Example of such systems include 
chemical processes, the power grid, water distribution networks and many more. 

In a typical control system one can identify different components including the actuators, the 
sensors and the controllers. These different components need to communicate with each other: 
for example the sensors communicate their measurements to the controllers, the controllers use 
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this information to compute the control input, and the control input is then sent to the actuators 
so that it can be physically implemented. In order for this communication to take place, a 
communication network is usually deployed across the plant to be controlled. Although wired 
networks have been traditionally used for this purpose, an increasing number of control systems 
now use wireless networks since they are easier to deploy and to maintain. In addition, these 
networks are sometimes connected to the corporate intranet, and in some cases even to the 
Internet. Consequently, modern control systems are becoming more open to the cyber-world, 
and as such, are more vulnerable to attacks that can cause faults and failures in the physical 
process even though launched in the cyber-domain. This realization led to the emergence of new 
security challenges that are distinct from traditional cyber security as highlighted in [1], [2]. 

Real-world attacks on control systems have in fact occurred in the past decade and have 
in some cases caused significant damage to the targeted physical processes. Perhaps one of 
the most popular examples is the attack on Maroochy Shire Council's sewage control system 
in Queensland, Australia that happened in January 2000 [3], [4]. In this incident, an attacker 
managed to hack into some controllers that activate and deactivate valves and, by doing so, 
caused flooding of the grounds of a hotel, a park, and a river with a million liters of sewage [3]. 
Another well publicized example of an attack launched on physical systems is the very recent 
StuxNet virus that targeted Siemens' supervisory control and data acquisition systems which 
are used in many industrial processes [5]. Other cases of attacks have been reported in the past 
years, and we refer the reader to [3] for more real-world examples. 

These examples indicate the clear need for strategies and mechanisms to identify and deal 
with attacks on control systems. 

Previous work related to security for control systems. The design of control and estimation 
algorithms that are resilient against faults and failures is certainly not a new problem. In fault- 
detection and identification [6], [7] the objective is to detect if one or more of the components 
of a system has failed. Traditionally, this is done by comparing the measurements of the sensors 
with an analytical model of the system and by forming the so-called residual signal (in some 
cases, the residual signal actually corresponds to the output of some specifically designed LTI 
system whose inputs are the sensor measurements [6]). This residual signal is then analyzed 
(e.g., using signal processing techniques) in order to determine if a fault has occurred. In such 
algorithms however, there is in general one residual signal per failure mode. As we will see later, 
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in our problem formulation the number of failure modes can be very large and one cannot afford 
to generate and analyze a residual signal for each possible failure mode. In another area, namely 
robust control [8], one seeks to design control methods that are robust against disturbances in 
the model. In general however, these disturbances are treated as natural disturbances to the 
system and are assumed to be bounded. This does not apply in the context of security since the 
disturbances will typically be adversarial and therefore cannot be assumed bounded. This is the 
case also in the area of stochastic control and estimation, where the disturbances are assumed 
to follow a certain probabilistic model, which we cannot adopt for our problem. 

Since these assumptions are not justifiable in the context of adversarial attacks, there has 
been a recent increase in control systems security research [9], [10], [11], [12], [13], [14], 
[15]. In [9], the authors consider the problem of control and estimation in a networked system 
when the communication links are subject to disturbances. The disturbances (corresponding to 
packet losses) are however assumed to follow a certain stochastic process (typically a Bernoulli 
process) which does not necessarily capture the behavior of an attacker. In [10] the authors 
consider a more intelligent jammer who plans his attacks in order to maximize a certain cost, 
while the objective of the controller is to minimize this same cost. The authors showed the 
existence of saddle-point equilibrium for this dynamic zero- sum game and derived the optimal 
jamming strategy for a particular instance of the problem. The results are however derived in 
the case of one-dimensional systems only, which is a main limitation of this work. In [11], 
[12] the authors study the fundamental limitations of attack detection and identification methods 
for linear systems, and for the particular case of power networks. They provide graph-theoretic 
characterization of the vulnerability of such systems to attacks, and furthermore they propose 
centralized and decentralized filters to detect and identify attacks when possible. These filters are 
however computationally expensive and are in general difficult to implement. Another related 
problem that received attention recently is the problem of reaching consensus in the presence of 
malicious agents [14]. The authors characterize the number of infected nodes that can be tolerated 
and propose a way to overcome the effect of the malicious agents when possible. However one 
particularity of these works is that the dynamics is part of the algorithm and can be specifically 
designed, rather than being given as in a physical system. Finally, there has also been recent 
work in the area of real error-correction over adversarial channels, e.g., [16], where adversarial 
noise could be unbounded. However the dynamics of the system does not generally play a role 



March 4, 2013 



DRAFT 



4 



and the correction capability is studied in a static setting that does not take advantage of the 
dynamics of the system. Furthermore, in these works also, the error protection mechanism can 
be designed by suitably choosing the coding matrix, whereas in our case, the plant dynamics is 
given to us. 

Contributions and organization of the paper. In this work we adopt a novel point of view 
inspired from error-correction over the reals [16] which allows us to propose a new estimation 
algorithm that is robust against the attacks and that is also computationally efficient, unlike most 
of the previously proposed approaches. Furthermore, in contrast with some of the previously 
described work, we do not restrict the type of attacks introduced by the attacker on the captured 
nodes (in particular the attacks injected can be of arbitrary magnitude). In our framework, the 
attacks are modeled as sparse vectors that affect the outputs (sensor attacks) as well as the inputs 
(actuator attacks). 

The contributions of this paper can be divided into two main parts: 

1) The first part (section III) deals with the estimation problem in the presence of sensors 
and actuator attacks. We first characterize the resilience of a system and the maximum 
number of attacked nodes that can be tolerated for correct estimation. We then propose 
a computationally feasible decoding algorithm to recover the state despite the attacks. 
This algorithm is inspired from the area of compressed sensing and its relation to error- 
correction over the reals [16]. Finally we show that if we can implement a state-feedback 
law (i.e., change the dynamics matrix A to be A + BK), then one can always increase 
the resilience of a system while still having freedom in choosing the performance (i.e., 
the eigenvalues) of the system. This first part of the paper mainly focuses on attacks on 
sensors for ease of exposition, but we also show at the end of the section how the decoder 
and some of the results can be extended to the case of attacks on actuators. 

2) The second part of the work (section IV) deals with the problem of control with output 
feedback in the presence of attacks on sensors. There we consider the question of designing 
an output-feedback law that stabilizes the system despite attacks on sensors. Our main 
result in this section is to show that if such a stabilizing law exists, then the state can 
also be estimated despite the attacks on sensors. This means that the estimation and the 
stabilization problems in the presence of sensor attacks are in some sense equivalent. 
Hence, when designing an output-feedback stabilization law, one can instead focus on the 
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estimation problem, and use a state estimator resilient to attacks with any standard state- 
feedback law to obtain a stabilizing output-feedback law resilient to attacks (separation of 
estimation and control). 
Preliminary versions of the results appeared in the conference papers [17], [18] as well as in 
the Master's thesis of the first author [19]. 

II. The formal setting and notations 
The formal setting. Consider the linear control system given by the equations: 

x {t+l) = Ax (t) + B(K {t) (y {0 \ . . . , y {t) ) 

(1) 

y W = Cx® + e« 

Here E W 1 represents the state of the system at time t EN, and E M. p is the output 
of the sensors at time t. The control input applied at time t depends on the past measurements 
{y^)o<T<t through the output feedback map The vector E M p represents the attacks 
injected by the attacker in the different sensors, and the vector w^' E M. m represents the attacks 
injected in the actuators. Note that if sensor i E {l,...,p} is not attacked then necessarily 
ef^ = and the output of sensor i is not corrupted, otherwise ef* (and therefore yf') can 
take any value. The sparsity pattern of the attack therefore indicates the set of attacked 
sensors. The same observation holds for the attacks on actuators w^>. 

Note that from a practical point of view, an attack on a sensor could either be interpreted as an 
attack on the node itself (making it transmit an incorrect signal), or it could also be interpreted 
as an attack on the communication link between the sensor and the receiver device. Similarly 
an attack on an actuator could either be interpreted as an attack on the actuator itself, or on the 
communication link from the controller to the actuator. Throughout the paper, we will be talking 
about "attacked nodes" but we will keep in mind that the second interpretation (attack on the 
communication link) is also possible. In section III-B we will actually look at a scenario where 
it is the communication links that are compromised and not the nodes themselves. 

We will assume in this paper that the set of attacked nodes does not change over time. More 
precisely, if K C {1, . . . ,p} is the set of attacked sensors and L C {1, . . . , m} the set of attacked 
actuators, then we have for all t, supp(e^) C K and supp(w^) C L (where Slipp(x) denotes 
the support of x, i.e., the indices of the nonzero components of x). Note that this is a valid and 
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realistic assumption when the time it takes for the malicious agent to gain control of a node is 
large compared to the time scale of the estimation algorithm. Furthermore observe that a model 
where the set of attacked nodes is allowed to change at every time step while having a fixed 
cardinality would in turn not be very realistic since it would assume that the attacker abandons 
from t to t + 1 some of the nodes he had control over. For these reasons, we will assume for 
our model that the sets K and L of attacked sensors and actuators is constant over time (and, 
of course, unknown). 

Moreover, since we are dealing with a malicious agent, we will not assume the attacks ef ^ or 
w^p (for an attacked sensor i or actuator j) to follow any particular model and we will simply 
take them to be arbitrary real numbers. The only assumption concerning the malicious agent will 
be about the number of nodes that were attacked. Our statements will then typically characterize 
the number of attacks that can be tolerated in order to correctly estimate/control the plant. 
Notations. We use the following notations throughout the paper. If S is a set, we denote by |*S'| 
the cardinality of S and by S° the complement of S. For a vector x G W 1 , the support of x, 
denoted by supp(:r), is the set of nonzero components of x and the £ norm of x is the number 
of nonzero components of x: 

supp(x) = {ie{l,...,n}\xi^ 0}, \\x\\ io = |supp(V)|. 

Also, if K C {1, . . . , n}, we let Vk be the projection map onto the components of K (Vrx is 
a vector with \K\ components, e.g., if K = {3,5} then Vrx = (x 3 ,x 5 )). 

For a matrix M € R mx " we denote by M, t e R n the i'th row of M, for % e {1, . . . ,m}. We 
define the row support of M to be the set of nonzero rows of M and we denote by ||M||^ the 
cardinality of the row support of M: 

rowsupp(M) = {i e {1,. . . ,m} \ Mi 0}, ||M||^ = |rowsupp(M)|. 

III. The estimation problem 

In this section we deal with the problem of estimating the state of a linear dynamical system 
in the presence of attacks. Throughout the main part of this section we will assume that attacks 
only occur on the sensors (i.e., no attacks on actuators) for ease of exposition. At the end of the 
section though we show how to extend the results to the case where there are also attacks on 
the actuators. 
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We consider in this section linear dynamical systems of the form: 

X (t+D = Ax (t) 

(2) 

yW = Cx® + e® 

As mentioned before, e'*' G W are the attack vectors injected by the malicious agent in the 
sensors. For simplicity we have also discarded the control input BK®(y(°\ . . . ,y®) since it 
does not affect the results in this section. Indeed the results presented here hold for any linear 
affine system where the state evolves according to x^ t+1 > = Ax® + v® where v® is a known 
input (for more details on this, see section IV-A). 

The problem that we consider in this section is to reconstruct the initial state x^°> of the 
plant from the corrupted observations (y®)t=o,...,T-i- Note that since the matrix A is known, the 
problem of reconstructing the current state x® or the initial state x^ are -at least theoretically- 
equivalent. Therefore, there is no loss of generality in focusing on the reconstruction of x^ 
instead of the current state x^ T ~ l \ 

A. Error correction and number of correctable attacks 

Let x (0) G W 1 be the initial state of the plant and let y (0) , . . . ,y (T_1) G W be the first T 
measurements that are transmitted from the sensors to the receiver device. The objective of the 
receiver device is to reconstruct the initial state a;' ) from these measurements. These vectors 
are given by 

y®^CA t x^ + e®, 

where e® represent the error vector (i.e., the attack vector) injected by the attacker (throughout 
the paper we will use the terms "error vector" and "attack vector" interchangeably to designate 
the vector e® injected by the attacker; the term "error vector" emphasizes the error-correction 
perspective we adopt in this paper). Recall that supp(e^) C K with K C {1, . . . ,p} being the 
set of sensors that are attacked and whose data is unreliable. 

Having received the T vectors y(°\ . . . ,y ( - T ^ 1 \ the receiver uses a decoder D : (W) 1 ->■ R n 
in order to estimate the initial state of the plant. The decoder correctly estimates the initial 
state if D(y(°\...,y( T -V) = x^. 
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We say that the decoder D corrects q errors if it correctly recovers the initial state for 
any set K of attacked sensors of cardinality less than or equal to q. More formally we introduce 
the following definition: 

Definition 1. We say that q errors are correctable after T steps by the decoder D : (MP) — > 
M n if for any G M n , and for any sequence of vectors e^°\ . . . , e^ T ~^ in MP such that 
supp(e (t) ) C K with | if | < q, we have D(y(°\ . . . ,y (T_1) ) = x (0) where y {t) = CVl*a; (0) + e w , 
t = 0,...,T- 1. 

Furthermore, we say that q errors are correctable after T steps (or, equivalently, that the system 
is resilient against q attacks after T steps) if there exists a decoder that can correct q errors after 
T steps. 

Let Eq t T denote the set of error vectors (e (0) , . . . , e (T_1) ) G (M P ) T that satisfy W G {0, . . . , T- 
1}, supp(e w ) C K for some K C {l,...,p} with \K\ < q. Note that E q>T is a union of (^) 
subspaces in (IR P ) T . 

1) Characterization of the number of correctable errors: Observe that, by definition 1, the 
existence of a decoder that can correct q errors is equivalent to saying that the following map 

M n x E q T -»■ (M P ) T 

(3) 

e(°\ . . . , eP"" 1 )) ^ (y(°), . . . , yP"" 1 )) = (Cx^ + e^, . . . , CA T ~ l x^ + e (T-i) } 
is invertible, or, more precisely, that it has an inverse for the first n components of its domain 
(we are only interested in the state x^\ and not necessarily the error vectors). 1 Thus expressing 
injectivity of this map is equivalent to saying that q errors are correctable. This gives the following 
proposition: 

Proposition 1. Let T G N\{0}. The following are equivalent: 

(i) There is no decoder that can correct q errors after T steps; 

(ii) There exists x a ,Xb G IR n with x a ^ Xb, and error vectors (e a , . . . , e a ) G E q ^ and 
(e[ 0) , . . . , ef G E q>T such that A l x a + ei 4) = A l x h + ef for all t G {0, . . . ,T - 1}. 

The proposition above simply says that it is not possible to unambiguously recover the state 

'These two conditions -the existence of an inverse and the existence of an inverse to recover just the first n components- are 
actually equivalent since the attack vectors are uniquely determined by a;' ' and the jp*''s and are given by e^' = t/*' — CA*x °' . 
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if there are two distinct values x a and x b with x a ^ x b that can, with less than q corrupted 
sensors, explain the received data. 

Note that the domain of the map defined in (3) is the Cartesian product of the whole E n 
with the error set E Q:T which is unbounded. This means that we require the decoder to recover 
any initial state x^ for any sequence of error vectors from E q ^ T . In practice however one could 
consider only vectors x^ in some set Q C W 1 if one has prior knowledge on the initial state (for 
example, if the states are all nonnegative, say for physical reasons, then one could take = IR™ ). 
Similarly, if the attacker has a finite amount of energy then we could envisage considering only 
elements of E q ^ in a certain ball of finite radius. We do not however pursue this here, and 
we assume in particular that the initial state of the plant can be anywhere in W 1 and that the 
magnitude of the errors can be arbitrary. 

We now give a necessary and sufficient condition for q errors to be correctable that is simpler 
than the one in proposition 1. 

Proposition 2. Let T G N\{0}. The following are equivalent: 

(i) There is a decoder that can correct q errors after T steps; 

(ii) For all z G R n \{0}, \supp{Cz) U Supp(CAz) U • ■ ■ U SUpp{C A T ~ X z)\ > 2q. 

Proof: (i)=^ (ii): Suppose for the sake of contradiction that there exists z G IR"\{0} such 
that |supp(Cz)USupp(CAz)U- • •USupp(CA T_1 2)| < 2q. Let L a and L b be two disjoint subsets 
of {1, . . . ,p} with \L a \ < q and \L b \ < q such that L a UL b = Slipp(C,2) U ■ ■ ■ U SU^{CA T ~ 1 z) 
(such L a and L b exist since |supp(C;z) U Supp(CVLz) U ■•■ U Supp(C A T ~ l z)\ < 2q). Let 
ea 1 = CA t z\L a be the vector obtained from CA t z by setting all the components outside of L a 
to 0, and similarly let = -CA l z\ Lb . Then we have CA l z = ei* } - with supp(ei <} ) C L a 
and supp(e[* ) ) C L b with \L a \ < q and \L b \ < q. Now let, for t G {0,...,T - 1}, yW = 
CA*z + ef = CAt-O + e®. If q errors were correctable after T steps by some decoder D then 
we would have D(y(°\ . . . = z and also D(y(°\ . . . ,y^ T ~ 1 ' } ) = which is impossible 

since z ^ 0. 

(ii)=^ (i): We again resort to contradiction. Suppose that q errors are not correctable after 
T steps: this means there exists x a ^ x b , and error vectors ■ ■ ■ ,ei T_1 ' ) (supported on L a 
with \L a \ < q) and , . . . , e[ T_1 ^ (supported on L b , with \L b \ < q) such that CA l x a + = 
CA l x b + ef for all t G {0, . . . , T - 1}. Now let z = x a - x b ^ 0. If we let L = L a U L b , then 
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we have \L\ < 2q, and we have for all t e {0, . . . , T - 1}, SUpp(CA t z) C L which shows that 
(ii) does not hold. ■ 

It is interesting to note the connection of the proposition above with the definition of a q- 
error-correcting linear code in the context of coding over the real numbers. A matrix C E W xn 
(with p > n) defines a g-error-correcting linear code if for any z ^ 0, |supp(Cz)| > 2q (see for 
example [20, §3]). This is precisely the condition we obtain from the previous proposition when 
T = 1 or when there is no dynamics. 

It is also interesting to observe that the proposition above shows that one cannot recover the 
initial state until the observability matrix given by 

C 

CA 
CA T ~\ 

has rank n. Indeed, if the observability matrix has rank smaller than n then it has a nontrivial 
kernel and there exists 2 ^ such that Cz = CAz = ■ ■ ■ = CA T ~ 1 z = 0. This shows, 
by the above proposition, that "0 errors cannot be corrected", or in other words, that one 
cannot reconstruct even if there are no errors in the y(°\ . . . ,y < ^ T ~ 1 \ The condition stated 
in proposition 2 can therefore be seen as a generalized condition for observability of a linear 
dynamical system when the observations are corrupted (as per the model considered here). 

Observe also that the characterization of proposition 2 shows that the maximum number of 
correctable errors cannot increase beyond T = n measurements. Indeed, this is a direct conse- 
quence of the Cayley-Hamilton theorem since we have for any z and for t > n, Supp(C A 1 z) C 
Supp(C^) U Siipp(CAz) U ■ ■ • U Supp(CA n ~ 1 z). 

Finally, one can also directly see from the same proposition that the number of correctable 
errors is always less than p/2, for any T. It turns out actually that generically (i.e., for "almost 
all" systems (A, C)), the number of correctable errors is maximal and equal to \p/2 — 1]. 

Proposition 3. For almost all 2 pairs (A, C) G IR nxn x W xn the number of correctable errors 
after T = n steps is maximal and equal to \p/2 — 1]. 

2 That is, except on a set of Lebesgue measure zero 
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Proof: We defer the proof of this proposition to section III-F where we prove a more general 
result that takes into account attacks on actuators (cf. proposition 8). ■ 
2) Computing the number of correctable errors: Even though for almost all pairs (A, C) the 
number of errors that can be corrected is maximal (equal to \p/2 — 1] for T = n), the problem 
of actually computing the number of errors that can be corrected for a given pair (A, C) after 
a given number of steps T is a hard problem in general. Actually one simple yet expensive 
algorithm is to look for the smallest \K\ where K C {1, . . . ,p} for which the following matrix 
has a nontrivial kernel: 

V K cCA 
V K .CA T -\ 

If s is the cardinality of the smallest K for which this matrix has nontrivial kernel, then by 
proposition 2 the maximum number of correctable errors is \s/2 — 1] . This algorithm is however 
computationally expensive and requires computing the rank of 2 P matrices in the worst-case. A 
recent result [21] shows that it is very unlikely that there is a more efficient way to perform the 
computation 3 . 

B. Increasing the number of correctable errors by state feedback 

In this section we consider the question of whether it is possible to make a given system (A, C) 
more resilient against attacks by modifying the parameters of the system. More specifically, if 
B is some given matrix, we look at the problem of designing a matrix K so that the pair 
(A + BK, C) is resilient against a large number of attacks, while it satisfies at the same time 
other design constraints. 

From a practical point of view, this question can be motivated by the following scenario 
depicted in Figure 1: we first assume that the physical system possesses a local control loop that 
has direct access to the state of the plant and that can control the evolution of the physical system. 
This is possible for example if the sensors are connected to the local controller through a wired 

3 In the special case T = 1 of error correction without dynamics, the number of errors that can be corrected is directly related 
to the spark of a matrix F that annihilates C, i.e., such that FC — (see [16, §I.G]). The spark of a matrix F is the smallest 
number of columns that are linearly dependent. According to the recent paper [21], computing the spark of a matrix is NP-hard. 
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Sensors 




communication links 
subject to attacks 



x + =(A+BK)x 



Fig. 1. Scenario where a local control loop has direct access to uncorrupted sensor information. Using this local control loop, 
the evolution of the physical system will be governed by the matrix A + BK where A is the open-loop matrix, B is the control 
matrix, and K can be chosen arbitrarily. The objective is to find K such that the pair (A + BK, C) is resilient against a large 
number of attacks. Choosing such a K will allow the higher level supervisory control and monitoring system to recover the 
correct state despite attacks in the communication links between the sensors and the supervisory system. 



link that is not subject to external attacks. If the local control loop implements a feedback law of 
the form u = Kx then the evolution of the physical system is governed by the matrix A + BK. 
Also, and as part of the overall plant, a high-level supervisory and monitoring system receives 
measurements from the sensors through wireless and vulnerable communication links that are 
subject to attacks. Observe that the choice K of the local controller will affect the resilience 
of the system to attacks, i.e., how many errors are correctable by the supervisory system. The 
objective here is therefore to design K in order to make the number of correctable errors of the 
pair (A + BK, C) as large as possible. 

Note that there are other design constraints that come into play in the choice of the local 
feedback law. Typically K is chosen so that the eigenvalues of A + BK are inside the unit disc 
so that the resulting closed-loop system is stable. It is known by the pole placement theorem 
that this is possible if the pair (A, B) is controllable [22]. 

In this section we ask if one can also enforce the requirement that the number of correctable 
errors of the new pair (A + BK, C) is large, without losing the freedom of choosing the 
eigenvalues of A+BK. We show in this section that the answer is yes, and that if the pair (A, B) 
is controllable, then it is possible to choose K such that \p/2 — 1] errors are correctable for 
(A + BK, C) and such that the eigenvalues of A + BK are in any arbitrary (or almost arbitrary) 
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prescribed locations in the complex plane. In other words, by an adequate choice of the local 
control law, one can make the system more resilient to attacks (the number of correctable errors 
\p/2 — 1] is the maximum possible), without compromising the control performance. 
More specifically, we have the following result 4 : 

Proposition 4. Let A £ R nxn , B £ R nxl and C £ R pXn and assume that the pair (A, B) 
is controllable. Then there exists a finite set F C C such that for any choice of n numbers 
Ai, . . . , A n £ C\F such that the Xi's have distinct magnitudes, there exists K £ M} xn such that: 

• the eigenvalues of the closed-loop matrix A + BK are Ai, . . . , A n . 

• the number of correctable errors after n steps for the pair (A + BK, C) is maximal (equal 
to fa/2 -11). 

In order to prove this result, we make use of the following lemma: 

Lemma 1. Let A £ ]R nxn and C £ IR pxn . Assume that A has n eigenvalues all with distinct 
magnitudes (in particular A is diagonalizable). Then the following are equivalent: 

(i) q errors are correctable for (A,C) after n steps. 

(ii) for every eigenvector v of A, \supp{Cv)\ > 2q. 

Proof: 

• (i) =^ (ii): This direction simply corresponds to taking x to be an eigenvector of A in the 
condition |supp(Cx) U • • • U Supp(CA"" 1 x)| > 2q of Proposition 2. 

• (ii) =3- (i): We assume that all eigenvectors v of A satisfy |supp(Ct>)| > 2q and we will 
show that for any x ^ 0, we have |supp(Cx) U Slipp(CVlx) U ■ ■ ■ U Supp(CA"~ 1 a;)| > 2q. 
The idea here is that if x ^ then for t large enough the vector A l x will be very close to 
an eigenvector w of A, and hence the support of CA l x will have more than 2q elements 
since |supp(C^)| > 2q. More formally, let x £ IR n \{0} and consider the decomposition of 
x in the eigenbasis of A: x = J2i=i a i v i w i m at ^ for at least one i, and where v±, . . . ,v s 
are eigenvectors of A associated with eigenvalues Ai, . . . , X s . Since the eigenvalues of A 

4 We deal only with the single-input case here but the multi-input case can be handled using the same arguments. Moreover, 
the condition for {A^} to have distinct amplitudes is not much of a restriction since one can always choose the A^'s to satisfy 
this condition and the consequences in terms of performance are negligible. 
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have distinct magnitudes we can assume that |Ai| > |A 2 | > ■•■ > |A S |. We isolate the 
largest eigenvalue in this decomposition and we denote A = Ai and w — V\. Now we 
have (A t x — ai\ t w)/X t — > when t — > +00. Let S = Supp(Cw). Note that since w is 
an eigenvector of A we have \S\ > 2q (by assumption). We'll now show that for t large 
enough, the support of CA l x contains S: let (3 = min^s |(Cty)j| and observe that clearly 
> 0. Let t be large enough so that ^ C< " A X ^/ X — < (3/2 for alH G S. Now we have, for 
% G S: 

r^-ACA^li > (\X*Cw\i - \CA l x - X'Cwli) > 13- (3/2 = (3/2 > 0. 
II 1^1 

Hence S C Supp(CA*x) for large enough t. But since we have Supp(Cy4*x) C Supp(Ca;)U 
Supp(C7Lc)U- • ■USupp(CA"~ 1 x) by the Cayley-Hamilton theorem, we have S C Supp(Cx)U 
Supp(C Ax) U ■ • ■ U Supp(Cyl n_1 x). Finally since this is true for any x / 0, and since 
\S\ > 2q, we conclude by 2 that q errors are correctable after n steps. 

■ 

We now use this lemma to prove Proposition 4: 
Proof: (Proof of Proposition 4) 
To prove the result, we will show that if the chosen poles Aj, . . . , A n have distinct magnitudes 
and do not fall in some finite set F, then there is a choice of K such that the eigenvalues 
of A + BK are exactly the Ai, . . . , A n , and the corresponding eigenvectors Vi are such that 
|supp(Cfj)| = p. Thus, by the previous lemma, this will show that the number of correctable 
errors for (A + BK, C) is \p/2 - 1] . 

First note that if A is an eigenvalue of A + BK and x is a corresponding eigenvector, then 
we have Ax + BKx = Xx, or, if (XI — A)^ 1 is well defined, x = (XI — A)~ l BKx, i.e., x is 
proportional to the vector (XI — A)~ 1 B (since Kx is a real number). This means that if A is an 
eigenvalue of A + BK, then necessarily the corresponding eigenvector is (XI — A)~ 1 B. 

We will therefore look for values of A for which C(XI — A)~ 1 B has full support. 

Let i G {1, . . . ,p} be fixed and denote by the vector in IR P that has a 1 in the ith component 
and zeros elsewhere. Note that since (A, B) is controllable there exists A such that efC(XI — 
A)- 1 B (see [22, Chapter 3, Theorem 2.17(H)]), and in fact the set F % = {X G C | efC(XI- 
A)~ 1 B = 0} C C is finite (zeros of a non-identically-zero rational fraction). 

Now consider F = (U" =1 Fj), and let Ai, . . . , A n be any choice of n numbers in C\F with 
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distinct magnitudes. We will show that there exists K such that the eigenvalues of A + BK are 
the X'jS and the eigenvectors Vj are such that Cvj has full support. 

By controllability of (A, B) there is a K such that the eigenvalues of A + BK are the A/s. 
We know that the eigenvectors of A + BK are the t> j = (Xjl — A)~ 1 B. Now by the choice of 
the A/s and by the definition of F we know that for all j and for any i, eJC(XjI — A)~ l B ^ 0. 
In other words, for any j, the vector Cvj has full support. Hence, by lemma 1, the number of 
correctable errors of (A + BK, C) is maximal. ■ 

C. Optimization formulation of the optimal decoder 

In the previous sections we have discussed and quantified the resilience of a given system 
(A, C) by characterizing the maximum number of attacks that are tolerable so that the initial 
state of the system could still be exactly recovered. We saw that if the system (A, C) satisfies 
the condition 

|supp(CV) U ■ ■ ■ U SUpptCVL^z) | > 2q, \/z^0 (4) 

then it is possible to correct any attacks on q sensors using the T observations y(°\ . . . ,y^ T ^ 1 \ 
We did not discuss however how to actually recover the state from the observations. In this 
section we focus on the problem of constructing a decoder that can correct any number q of 
errors as long as q satisfies the condition (4) above. 

Consider the decoder D$ : (W J ) T -> R n defined such that D% (y (0) , . . . 

; y( T !)) i s optimal 

x solution of the following optimization problem: 
minimize \K\ 

x£R n ,Kc{l,...,p} (5) 

subject to supp(?/ (t) - CA^) c K for t <E {0, . . . , T - 1}. 

Observe that the decoder D$ looks for the smallest set K of attacked sensors that can explain the 
received data y(°\ . . . ,y ( ^ T ^ 1 \ We show in the next proposition that the decoder Dq is optimal 
in terms of error-correction capabilities. 

Proposition 5. Assume that q errors are correctable after T steps, i.e., that (4) holds. Then the 
decoder D$ corrects q errors, i.e., for any x^ G W 1 , and any e^°\ . . . , e^ T_1 ^ in MP such that 
Sfipp(e (t) ) C K with \K\ < q, we have D%(y(°\ . . ., y (T_1) ) = x (0) where y® = CA^^ + e w . 
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Proof: Let x^ and the e^'s satisfy the stated assumptions, with Supp(e^- ) ) C K and 
yW = CA l + e". Assume for the sake of contradiction that the feasible point (x^°\ K) is 
not the unique optimal point for (5). Hence there exists x a ^ x^°\ and ei°\ . . . , ei T_1 ^ with 
supp(ei t ' ) ) C K a that generate the same sequence y(°\ . . . , t/ t_1 ) of observed values, with in 
addition, \K a \ < \K\ < q. We therefore have two different initial conditions a;^ ^ ^ x a and two 
different error vectors corresponding to less than q attacked sensors that generate exactly the 
same sequence of observed values. This exactly means that q errors are not correctable after T 
steps which contradicts the assumption. ■ 
The proposition above therefore shows that the decoder Dq is the best decoder in terms of 
error-correction capabilities, since if any decoder can correct q errors, then can as well. One 
issue however is that the optimization problem (5) is not practical since it is NP-hard in general. 
Indeed for the special case T = 1 (corresponding to the case of "static" error-correction over 
the reals mentioned earlier) the decoder becomes 

minimize \\y — Cx\\t n (6) 

(where ||^||^ = |supp(^)|) which is known to be NP-hard (see for example [20]). 

However, in [16], Candes and Tao proposed to replace the £ "norm" by an l\ norm, thereby 
transforming the problem into a convex program that can be efficiently solved: 

minimize lly — CxIL. 

It was then shown in [16] that if the matrix C satisfies certain conditions, then the solution of 
this convex program is the same as the one given by the i optimal decoder. In the next section 
we consider this transformation in the context of our problem. 

D. The l\ decoder: a relaxation of the optimal decoder 
For T G N\{0}, consider the linear map $( T ) defined by: 
$ (T) : W l -»■ W xT 

x i-)> Cx | CAx | ... | CA T ~ x x 

Furthermore, if y(°\ . . . , E W, let the p x T matrix formed by concatenating the 

j/W's in columns: 



yen 



y(0) | yW I ... I y(T-l) 



e R pxT . 
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Recall that for a matrix M e M. pxT with rows M u . . . , M p e R T the £ "norm" of M is the 
number of nonzero rows in M: 

\\M\\ i0 = |rowsupp(M)| = \{ie{l,..., P }\Mi^ 0}|. 

Observe that the optimal decoder Dq introduced in the previous section can be written as: 

ZW°), . . . , y^) = argmin ||Y^ - ^x\\ io . 

As we saw in the previous section, this decoder finds the minimum number of attacked sensors 
that can explain the received data y(°\ . . . , y^ -1 '. 

Analogously to [16], we can define an i\ decoder which, instead of minimizing the number 
of nonzero rows, minimizes the sum of the magnitudes of each row. Specifically, if we measure 
the magnitude of a row by its £ r norm in R T (for r > 1), we obtain the following decoder Dfy. 

Dl r {y^\ y {T ' l) ) = argmin \\Y^ - & T} x\\h/tr (7) 

where, by definition, ||M||4« r is the sum of the £ r norms of the rows of the matrix M: 

v 

\\M\u 1/ir = j2\\ M ^- 
i=i 

Note that the optimization problem in (7) is convex and can be efficiently solved. Also note that 
such "mixed" l\j£ r norms were also used in the compressed sensing literature in the context of 
joint-sparse and block-sparse signal recovery [23]. 

We saw in Proposition 2 that the number of errors that can be corrected by the optimal 
£ decoder D$ is equal to the largest number q such that |supp(C,2) U Supp(CAz) U • • • U 
SUpp(CA T ~ 1 2)| > 2q for all z ^ 0. 

The next proposition characterizes the maximum number of errors that can be corrected by 
the £\j£ r decoder Df r . 

Proposition 6. The following are equivalent: 

(i) The decoder Df r can correct q errors after T steps. 

(ii) For all K C {1, . . . ,p} with \K\ = q and for all G = with z e R n \{0} we have: 

X)H G *lk- < E ll G *ll^- (8) 
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Proof: (i) =>- (ii): Suppose for the sake of contradiction that (ii) does not hold. Then 
there exists K C {l,...,p} with \K\ = q, and G = & T) z e M. pxT with z ^ such that 
J2i£K \\Gi\\i r > J2i£Kc \\Gi\Ur- Let x° = and define the fC-supported error vectors for 
t G {0, . . . , T — 1} by ef' 1 = Gj t if z 6 ii' and ef^ = otherwise. Now consider = 
CA t x° + e" = e« and let F^ T ^ be, as before, the p x T matrix obtained by concatenating the 
y (t) 's in columns. Note that rowsupp(T (T) ) = K, and that f/ t) = ($ (T) ;z)j for all z e K.We 
will now show that the objective function for (7) at z ^ is smaller than at x° = 0, which will 
show that the decoder Dj r fails to reconstruct x^ from the ?/^'s. This will show that (i) is not 
true. Indeed we have: 

iii^) - ^ z \\ h/tr = £ \\(Y^ _ *m z)iU = y: \\GtU 

8=1 i£K c 
n 

< E ii G <ik = E n( y(T) - $(r) *°)<ik = \\ Y(T) - * m AW/ir- 

iGK 1=1 

(ii) =>■ (i): We again resort to contradiction. Suppose that (i) is not true. This means there exists 
x (0) , and e (0) , . . . , e (T_1) with supp(e^) C K with \K\ < q such that Df r (y^\ . . . , y (T " 1} ) ^ 
a;^ ^ where = CA t x^ + (i.e., the decoder Dj r fails to reconstruct x^ from the y(t)'s). 
By definition of the decoder Dj r , this means that there exists x ^ x^ that achieves a smaller 
£i/£ r objective than x^: 



Eii(^ (T) -^ (T) ^ik<Eii( F(T) - $( ^' mi., 



i=l i=l 

Now let z = x - x<® ^ 0, and let G = = U - V with U = - $( T V°) and 

V = - ^x. We have 

E W Gi ^r = E W U * ~ WW > E IMk - ll^lk 

Now since rowsupp(£7) C K, and since x achieves a smaller i\ji r objective than x°, we have 

Ei 6 x ll^lk = J2i=i Wihr > Y7i=i Wi\W- Hence we have 

E ll^lk > E IMk - E iMk = E IMk = E U G <lk 

ieif 1=1 ieif ie-R" c ieA' c 

where the last equality is because rowsupp(£7) C if. Hence (ii) is not true. ■ 
Observe that, as expected, if the i\/t r decoder can correct q errors, then the £o decoder can 
correct q errors as well. Indeed, if we assume the opposite, then by Proposition 2 there exists 
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z ^ such that |supp(C,2) U • • • U Supp(C 'A T ~ l z)\ < 2q, which is equivalent to saying that 
|rowsupp($ (T) 2;)| < 2q. Now let G = $ (T) z and let K be the q rows of G with the largest £ r 
norms, then we clearly have J2ieK \\Gi\\ir — J2i^K c \\Gi\\e r ' which contradicts the condition of 
the previous proposition. 

As a matter of fact, the condition of the previous proposition (for the l\jl r decoder) is in 
some sense a more quantitative version of the condition of proposition 2 for the i decoder. The 
two conditions guarantee that the row components of &( T ^z are sufficiently spread and are not 
too concentrated on a small subset of the rows. 

As an illustration, consider the simple example where the number of sensors is p = n and 
C = I n (i-e-, we have one sensor per component of the state x G M n ) and where A is the cyclic 
permutation given by: 



.4 



1... 

: : "•• 

0... 1 

10 ... 



(9) 



z Az ... A n ~ x z 



It is easy to see that after T = n, the rows of the matrix $( n )^ = 
are identical up to a permutation, and so the i r norm of any two rows of & T ^z are equal. 
This shows that for any subset K of rows with \K\ < n/2, we have ^2 iEK || (& n ^z)i\\e r < 
YlieKc \\(^ nS>z )ihr> which shows that the i\ji T decoder can correct a maximal number of errors 
after n steps, namely, \n/2 — 1]. 

Finally note that the condition of Proposition 6 for the l\jl r decoder corresponds to the 
well-known "nullspace property" in compressed sensing and sparse signal recovery [24]. 

E. Numerical simulations 

In this section we show the performance of the proposed decoding algorithm first on a random 
toy example and then on a more realistic system modeling an electric power network. 

1) Random system: We first consider the £1/^2 decoder on a system of size n = 25, p = 20 
where A e R 25x25 and C G ]R 20x25 have iid Gaussian entries. For different values q of attacked 
sensors, we tested the decoder on 200 different initial conditions a;^ ^ and attacked sensors 
K C {l,...,p} with I If I = q. The initial conditions were randomly generated from the 
standard Gaussian distribution, and the attack sets were chosen uniformly at random from the 
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set of subsets of {1, ... ,p} of size q. Figure 2a shows the fraction of initial conditions that were 
correctly recovered by the Ei/iz decoder (cf. equation (7)) in less than T = 15 time steps for 
the different values of q. We see that for q less than 6 all the initial conditions were correctly 
recovered in less than T = 15 time steps. Figure 2b shows the number of time steps that it 
took in average to correctly recover the initial state, as a function of the number of corrupted 
components q. We see that as q increases, more measurements were needed to correctly recover 
the state of the system. 

For each simulation, the attack values (i.e., the values injected by the attacker in the compo- 
nents K) were chosen randomly from a Gaussian distribution. In order to illustrate the fact that 
the decoder can handle unbounded attacks, the magnitude of the attacks were chosen to be 20 
times larger than the magnitude of the state. Furthermore, the matrix A was appropriately scaled 
so it has a spectral radius of 1. The optimization problems were solved using CVX [25]. 



Avg. # of time steps for correct recovery 

■ml 

1 2 3 4 5 6 
Number of attacked sensors (q) 

(a) (b) 

Fig. 2. Performance of I1/I2 decoder on a randomly chosen system with n — 25 states and p = 20 sensors. We see that when 
the number of attacked sensors is small enough, the can still recover the exact state of the system (left). As the number 

of attacked sensors increases, more measurements are needed to correctly recover the state of the system (right). 

2) Electric power network: In this section we apply the proposed decoding algorithm on a 
model of an electric power network and more specifically on the IEEE 14-bus power network 
[26]. The network, depicted in Figure 3a is composed of 5 synchronous generators and a total 
of 14 buses. The system is represented by 2 x 5 = 10 states giving the rotor angles Si and the 
frequencies Ui = dSt/dt of each generator. Under some simplifying assumptions the evolution of 
the system can be captured by a linear difference equation corresponding to the linearized swing 



Fraction of initial conditions correctly recovered 
with 11 decoder vs. number of attacked sensors (q) 4 




5 10 15 20 



Number of attacked sensors (q) 
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equations (see [27] for the derivation of the equations). We assume, like in [28], that p = 35 
sensors are deployed and measure at every time step the real power injections at every bus (14 
sensors), the real power flows along every branch (20 sensors), and the rotor angle at generator 
1 (1 sensor). 

For different values of attacked sensors q, we ran 200 simulations with different sets of attacked 
sensors K of cardinality q, and different initial conditions x^ that were randomly generated 
like in the previous example. In the simulations we did not allow the last sensor measuring the 
rotor angle to be attacked. Indeed if this sensor is attacked then there is no hope of correctly 
recovering the state since the system becomes unobservable. The £ 1 decoder we used however 
is the one described in Section III-D and did not incorporate the knowledge of the unattacked 
sensor in any way. Figure 3b shows the number of simulations (out of the 200) where the state 
was correctly recovered using the Ixjt^ decoder in less than T = 10 steps. Observe that 
for q < 4 the success rate of the decoder was 100%. Furthermore when q < 12 the decoder 
correctly recovers the state in more than 90% of the cases. These simulations show that the t\li r 
decoder works very well in this example and therefore is a promising practical technique. 



Fig. 3. Performance of the £i/£oc decoder on the IEEE 14-bus power network example. The decoder successfully recovered 
the state of the system when the number of attacked sensors was less than 4. When the number of attacked sensors was less 
than 12, the decoder recovered the correct state in more than 90% of the cases. 

F. The case of attacks on actuators 

In this section we incorporate into our model attacks on actuators (in addition to attacks on 
sensors) and we study the resilience of linear control systems to such attacks. Consider a plant 
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(10) 



that evolves according to the equations: 

X ( t+ V = Ax® + B(KV(y(°\ 

yW = CX® + eW 

where A e R nxn ,B e R nxm ,C e W xn and (K®)t= ,i,... is an output-feedback control law. 
As before the vectors e® represent attacks on sensors. The vectors represent attacks on 
actuators: if actuator j e {1, ...,m} is not attacked, then w® = 0, otherwise actuator j is 
attacked and Wj can be arbitrary. The set of attacked actuators will typically be denoted by L. 
In this section we will use the letter q to denote the total number of attacked nodes (sensors and 
actuators), q = \K\ + \L\. 

Our objective is to monitor the state of the plant from the observations y®. More formally if T 
is some time horizon, we wish to reconstruct the sequence 5 of states x^°\ . . . , x^ T ~^ from the ob- 
servations y(°\ . . . , y( T ~ lS) . Observe that reconstructing the sequence x^°\ . . . , x^ T ^ is equivalent 
to reconstructing the initial condition x^ and the vectors Bw^°\ . . . , Bw^ T ~ 2 \ Now this recon- 
struction is possible if, and only if, the map that sends the tuple (x^°\ Bw^°\ . . . , Bw^ T ~ 2 \ e^°\ . . . 
to the corresponding outputs (y^°\ . . . , ?/ T_1 )) is injective. Using the notation 

o" 

C ... 

CA C ... 



CA T - X 
this map is given by 



C 

CA 



Mi 



CA T ~ 2 CA T ~ 3 ... C 



apTxn(T-l) 



(z<°>, Bw®\ Bw^ T - 2 \ e (°>, . . . , e^" 1 )) H- O t x^ + M T 







" e (o) " 




+ 








e (T-D 



~ Observe that in the previous section where we dealt with attacks on sensors only, the objective was to only reconstruct the 
initial state x' ' since we could then simply use the dynamics to propagate the initial condition and obtain a;' 1 ', a;' 2 ', . . . , x^ T ~ 1 \ 
When considering attacks on actuators, using the dynamics to propagate the initial state requires the knowledge of the attacks. 



Hence in this section we explicitly ask for the recovery of the whole sequence x 



(0) 



r ( T i)_ Note also that one could 



introduce a delay parameter d G N and ask for the recovery of the states up to time T — 1 — d only. The results in this section 
can easily be extended to this case, however for ease of exposition we consider only the problem of recovering the whole 
sequence of states up to the current time T — 1. 



March 4, 2013 



DRAFT 



23 



If this map is injective when the iwW's and e^'s are restricted to have less than q nonzero 
components combined (i.e., \K\ + \L\ < q), we say that q attacks are correctable, or equivalently, 
that the system is resilient against q attacks. More formally we have the following definition: 

Definition 2. Let a control system of the form (10) be given. We say that q attacks are correctable 
after T steps (or equivalently, that the system is resilient against q attacks after T steps) if there 
exists a decoder D : (W) T -> (IR") r such that for any x (0) E R n , for any w {0 \ w {T - 2) with 
Slipp(w; w ) C L and any e (0) , . . . , e (T_1) with supp(e (t) ) C K with \K\ + \L\ < q we have 

D(y(°\ . . . , y^) = Bw<®, Bw^). 

The previous discussion leads to the following proposition which gives a characterization of 
the resilience of a linear control system to attacks on sensors and actuators: 

Proposition 7. Let a control system of the form (10) be given. The following are equivalent: 

( i) The system is not resilient against q attacks after T steps 

(ii) There exists x^O, and vectors w (0 \ . . . , u> (T ~ 2) and e (0) , . . . , e (T_1) with \supp(w (0) ) U • • • U 
Slipp(w {T ~ 2) ) \ + \supp(eW) U ■ • • U Si;pp(e (T ' 1) )| < 2q such that 









' e(°) " 


O T x {0) + M T 




+ 










e (T-l) 



Observe that if a system is resilient against q attacks then necessarily q < p/2. Indeed if q 
attacks (i.e., sensor and actuator attacks) are correctable, then necessarily q sensor attacks are 
also correctable which implies that q < p/2 using the earlier results of section III- A. We now 
show that for most systems the number of correctable errors is maximal and equal to \p/2 — 1] . 

Proposition 8. For almost any 6 triple (A,B,C), the number of correctable errors (sensor and 
actuator errors) after T = n steps is maximal and equal to \p/2 — 1]. 

Proof: Using the notations above for Ot and A4t, consider the matrix 



Sn 



6 That is, except on a set of Lebesgue measure zero 



T Mt IpT 



(ID 
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where I p t is the pT x pT identity matrix. Note that St is a pT x (n + m(T — 1) + pT) matrix 
and its coefficients are all polynomial in the coefficients of A, B, C. 

Let K C {1, . . . ,p} and L C {1, . . . ,m} with + |L| = q and consider the following 
submatrix of St 



q K,L 



Ot Mk I5r 



(12) 



obtained by keeping the columns indexed by L in each of the T — 1 column blocks of M. T and 
those indexed by K in each of the T column blocks of I p t. Therefore S T ' has pT rows and 
n+ \L\(T— 1) + \K\T columns. For a given triple (A, B, C), saying that q errors are correctable 
is equivalent to saying that for any attack pattern (K, L) such that \K\ + \L\ < 2q the map Sj' L 



T 

is injective (cf. point (ii) in proposition 7). 

We will now show that if \K\ + \L\ < p, then for almost any triple (A, B, C) the matrix S^' L 
is injective. Indeed note first that if q < p, then S^ ,L has more rows than columns if the horizon 
T is large enough and greater than n: 

ncols(5^' L ) = n+\L\(T-l) + \K\T = n - \L\ + qT 

<n-\L\ + (p- 1)T = pT + (n - \L\ —T)<pT — nrows(5^' L ) 

where ncols denotes the number of columns and nrows denotes the number of rows. Hence S^' L 
is a polynomial matrix in A, B,C that has more rows than columns and thus for almost any 
choice of (A,B,C), it is injective. 7 In other words, we showed that the set of (A,B,C) for 
which S^ ,L is not injective has Lebesgue measure 0. 

Therefore, since there are only finitely many attack sets K and L, the set of triplets (A, B, C) 
for which there exists K C {1, . . . ,p} and L C {1, . . . , ra] with \K\ + \L\ < p such that S^' L is 
not injective has Lebesgue measure zero. Hence this means that for almost any triple (A, B, C) 
the number of correctable errors is maximal (and equal to \p/2 — 1]) when T >n. ■ 

7 Indeed observe first that there exists a particular choice of A, B, C such that S^' L is injective: take for example A to be the 
circular permutation matrix [see equation (9)], B — 0, and C to be the projection on the first p components. Consider now the 
determinants of the submatrices of S^' L which are polynomials in the coefficients of A, B, C. Each one of these polynomials 
is not identically zero -because there exists a particular choice of A, B, C such that S^' L is injective- and so the zero set of 
each of these polynomials has Lebesgue measure zero, thus the union of these zero sets has Lebesgue measure zero, and so this 
means that for almost any choice of A, B, C the matrix S T ' L is injective. 
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a) An explicit decoder: We now consider the problem of designing a decoding algorithm 
that recovers the sequence of states despite attacks on sensors and actuators. We show that one 
can formulate the decoding problem as an optimization problem, in the same way we did when 
there were only sensor attacks. Indeed assume we have received measurements y(°>, . . . ,?/ T - 1 ) 
and that we wish to reconstruct the sequence of states x^°\ . . . ,x ( - T ~ 1 \ Then this can be done 
by solving the following optimization problem: 

minimize \K\ + \L\ (13) 

subject to supp(e w ) C K, supp(w (t) ) C L 

y it) = cs ,(t) + ~(t) 

The optimization variables are indicated by a "hat" (e.g., x^\ etc.); the other variables (namely, 
an d ar e given. The optimization program above finds the simplest possible explanation 
of the received data y(°\ . . . ,y ( - T ^ 1 \ i.e., the one with the smallest number of attacked nodes. 
One can easily show that if the system is resilient against q attacks (in the sense of definition 2), 
and if the number of actual attacks is less than q, then the output of the optimization problem 
above gives the correct sequence of states, i.e., x^ ' = x^ ', . . . ,x^ T_1 ^ = x^^. 

Unfortunately though, and as we mentioned earlier, solving this optimization problem is hard 
in general. We can however use the same ideas used previously to relax the decoder by replacing 
the "£o" norm (that measures the cardinality of the attack set) by an i\ norm. When considering 
attacks on actuators in addition to attacks on sensors this relaxation leads to the following 
tractable decoder: 

minimize Zti ll^lk + A E^i ll^ilk ( 14 ) 
subject to Ei = (e\°\ . . . , e- T_1 ^) 

y {t) = C& (t) + g(t) 

For each i the auxiliary variables Ei G IR T and Wi G IR T carry the i'th components of the attack 
vectors over the time horizon t = 0, . . . ,T — 1. Thus if H-EjH^ = then ef 1 = for all t = 
0, . . . , T— 1 and the z'th sensor is not attacked, and similarly if || Wi\\e r = then the i'th actuator is 
not attacked. Now observe that the objective function Y^=i ll-^lk+^ YlT=i ll^ll^ ^ s nothing but 
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a weighted sum of the i\ norms of the vectors (||-Ei||^.)i=i,..., p € W and (||Wi||£ r )i=i,..., m € K m . 
Note that we have introduced a tuning parameter A to control the relative weight between the term 
corresponding to the attacks on sensors and the term corresponding to the attacks on actuators. 

b) Numerical simulations: To illustrate the behavior of the i\ decoder, we tested it on a 
synthetic randomly-generated system with n — 15 states, m — 10 actuators and p — 10 sensors 8 . 
Figure 4a shows the performance of the decoder as a function of the number of attacked sensors 
and actuators. We see that on this example the i\ decoder correctly recovers the state of the 
system despite the attacks when the number of attacked sensors and actuators is small enough. 

Note that the decoder as given in equation (14) depends on the choice of the parameter A. 
For the simulations of figure 4a we used the value A = 10 which we empirically found to be a 
suitable value for the system we considered. It would be interesting however to see if there is a 
simple and systematic way to directly find the best value of A from the data and the parameters 
of the system. 

We also tested the decoder (14) on the power network example of section III-E2. Recall that 
the IEEE 14-bus network we considered is comprised of 5 generators and 14 buses, and is 
modeled by a linear dynamical system with 2 x 5 = 10 states (rotor angle 5, and frequency 
uji = dSi/dt for each generator i) and 35 sensors. An attack on an actuator here corresponds to 
an attack on the mechanical power input to a generator i and is modeled by an additive input 
Wi affecting the equation governing the frequency Ui of generator i [27]. 

For different values of \L\ (number of attacked generators), and \K\ (number of attacked 
sensors), we ran the £i/£oo decoder of equation (14) and we recorded its success rate 9 over 200 
simulations with different initial conditions and attack sets that were randomly generated like 
in the previous examples of section III-E2. The results of the simulations are shown in figure 
4b. We see that when the number of attacked sensors is small enough, the decoder correctly 
recovers the state of the system. We also remark that, unlike the previous example of figure 4a, 
the performance of the decoder is not really affected by the number of attacked generators. This 

8 The system was generated in the same way as the example of section III-E: the entries of A, B, C are iid standard Gaussian, 
and A was normalized so it has spectral radius 1. 

9 We declare the decoder to be successful after T steps if it correctly recovers the whole sequence of states up to time T — 1 
(i.e., with a delay of d = 1). Indeed, due to the very special structure of the C matrix of the system (the sensors only measure 
the rotor angles and not the frequencies), it is impossible to reconstruct the state perfectly without delay. 



March 4, 2013 



DRAFT 



27 



Randomly generated system 

Performance of the 11 decoder IEEE 1 4-bus power network 




012345 02468 10 

Attacked sensors Attacked sensors 



(a) (b) 

Fig. 4. (Left) Performance of the decoder (14) (with constant A = 10) on a randomly generated system with n = 15 

states, m = 10 actuators and p — 10 sensors. Dark color indicates a high success rate and white color indicates a low success 
rate. We observe that when the number of attacked sensors and actuators is small enough the decoder correctly recovers the 
state of the system. Also we remark that the resilience with respect to attacked sensors decreases as the number of attacked 
actuators increases, and vice-versa. 

(Right) Performance of the di/ioc decoder (14) (with A = 10~ 3 ) on the IEEE 14-bus power network example of section III-E2. 
We observe that when the number of attacked sensors is small enough, the decoder correctly recovers the state of the system, 
independently of the number of attacked generators. This suggests in particular that the system is highly resilient against attacks 
on generators. 



suggests that the system is highly resilient against attacks on the generators since despite these 
attacks the state of the system can still be correctly recovered from the measurements (when the 
number of attacked sensors is small). 

IV. The control problem with output-feedback 
In this section we consider general linear control systems with output feedback of the form: 

=Ax® + BK®{yW,...,y®) 

(15) 

y(*) = CX® + 

One of the main questions that we address in this section is to determine whether for a given 
system (A,B,C), there exists a control law (i.e., a family (i^)t=o,i,...) that drives the state of 
the system (15) to the origin even if some of the sensors are attacked. Observe that the sensor 
attacks can affect the control inputs (since the control inputs are function of the y^'s) which 
can in turn deviate the state from its nominal path. 
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Note that if there were attacks on the actuators then such a stabilizing control law does not 
exist in general, and that is why we focus only on sensor attacks in this section. 

It is clear that if q sensor errors are correctable (in the sense defined in the previous section, 
i.e., that it is possible to recover the state despite any attacks on q sensors), then one can 
stabilize the system in the presence of attacks: indeed, one can simply decode the state (since q 
errors are correctable), and then apply a standard state feedback law of the form u = Kx (for 
example). The main contribution of this section is to show that the converse of this statement is 
essentially true. More specifically, we show in Theorem 1 that if (if^)t=o,i,... is any feedback 
law that stabilizes the system (with a fast enough decay) despite attacks on any q sensors, then 
necessarily q errors are correctable. This theorem shows that one can essentially decouple the 
problem of estimation and of control in the scenario we consider: in other words, there is no 
loss of resilience in searching for an output feedback law that is the composition of a decoder 
with a standard state feedback. 

A. Some properties 

We start by defining the notion of correctability of q errors for systems with output-feedback 
control inputs. We will see in particular that it is independent of the feedback law used. Recall 
that the symbol E q ^ denotes the set of attack sequences of length T on any q sensors: 

% = {(e (0) ,..,e^)Gr) T | 

3K C {1, . . . ,p} , \K\ = q W G {0, . . . ,T - 1}, supp(e (t) ) C 

We also use the notation y(t,x^°\e) to denote the output at time t of the control system (15) 
when the initial state is x^ and for the attack sequence e G E q T . We now give the definition 
of correctability of q errors for systems with output-feedback control inputs: 

Definition 3. Let a control system of the form (15) be given. We say that q errors are correctable 
after T steps if there exists a function D : (IR P ) T — >■ W l such that for any x^ G M 11 and any 
attack sequence e G E q> T, we have D(y(0, x^°\ e), . . . , y(T — l,x^°\e) \ = x^°\ 

It is not hard to see that, since the systems we consider are linear and since the control inputs 
only depend on the measurements, the property of correctability of q errors just defined above 
does not depend on the control law nor on B, and in fact only depends on A and C. Indeed, saying 
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that q errors are not correctable (after T steps) for the controlled system (A, B, C, (i^)t=o,i,...) 
means that there exists x a ^ Xb, and error vectors e a , e b G E q:T such that y(t, x a , e a ) = y(t, x bl e b ) 
for all t = 0, . . . , T - 1. In other words, we have, for all t G {0, . . . , T - 1}: 



CA t x a + C[B,AB,...,A t - 1 B) 



u, 



(t-i) 



(o) 

Ua 



+ e® = CA t x b + C[B,AB,...,A t - L B] 



u 



( f -i) 



u 



(0) 



,(*) 



(16) 



where u { a ] = U {T) (y(0,x a ,e a ), . . . , y(r, x a , e a )) and u [ b r) = U {T) (y(0,x b ,e b ), . . . , y(r, x b , e b )) for 
r = 0, . . . , t — 1. Now observe that the terms on the left-hand side and right-hand side of (16) 
with the control inputs are equal (since y(s, x a , e a ) = y(s, x b , e b ) for all s and thus u 



Hence the equality (16) is equivalent to saying that for all t G {0, 

CA'xa + e^ =CA t x b + e i b t) . 



T — 1}, we have: 



And this exactly means that q errors are not correctable for (A,C). This therefore shows that 
the notion of correctability does not depend on the control law used. 

In other words, one can use the conditions developed earlier for correctability of q errors for 
linear systems with no inputs and apply them to systems with output-feedback control inputs. 
For example we have that q errors are correctable for the control system (15) if, and only if, 
|supp(Cz) U • ■ • U Supp(CA T - 1 2)| > 2q for all z ^ 0. 



B. Main result: separation of estimation and control 

We are now ready to state our result on separation of estimation and control. 

Theorem 1. Let A, B, C be three matrices of appropriate sizes and assume that a control strategy 
given by the (K®)t=o,i,... is such that: for any x^ G W 1 and for any sequence of error vectors 
e G E q> T, the sequence (x^') defined by: 

x W)=Ax® + BK®(yM,...,y®) 

(17) 

y M = Cx® + e« 

satisfies 

\\x®\\ < K «'||x( 0) || 
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where k > and where < a < 1 / s small enough: a < min{|A| | A eigenvalue of A}. Then 
necessarily q errors are correctable after n steps. 

Proof: We proceed by contradiction. Assume that q errors are not correctable after n steps. 
Then this means there exists a nonzero initial state x^O that is indistinguishable from the initial 
state 0. In other words, there exist e a , e& £ E q p such that the outputs of the control system (17) 
in the two different executions: 

1) = x and e® = e£ ; and 

2) = and e® = . 

are equal for all £ = 0, . . . ,n — 1. But by the Cay ley-Hamilton theorem, it is not hard to see 
that the sequences e a and can be extended to t > n so that the outputs of the system (17) are 
equal for all t > 0. Observe now that since the control law K® only depends on the outputs, 
this means that in these two executions, the same sequence of inputs, u®, will be used. 

Furthermore, since we must have in both cases, < ne~ at \\x^ ' ||, this leads, for the case 

where x(°> = 0, that x® = for all t > 0, and so necessarily, Bu^ = a;(* +1 ) — Ax® = for 
all t > 0. Hence for the first case (when x^ = x), the recurrence relation is x^ t+l ^ = Ax®, 
which gives x® = A f x. We now get a contradiction since x® should decay at rate of a, but 
the eigenvalues of A are all strictly larger than a. This completes the proof. ■ 

Remark. Note that the assumption on the decay rate to be fast enough is necessary; otherwise the 
result is not true. Indeed, if for example A is already a stable matrix, one cannot deduce anything 
from the mere existence of a stabilizing control law (since the system is by itself stable!). For 
a concrete example, take A — 0.5 J, B — I, C — I (note that A is stable). We know from the 
characterization of the number of correctable errors that even 1 error is not correctable after any 
number of steps (for example if we take x — (1, 0, ... , 0), then |supp(Ca;)USupp(Cy4s)lJ. . . | = 
1 ^ 2q if q > 0). Now if we consider the trivial output feedback law K® = for all t, the 
resulting system is of course stable despite any number of attacks (the state evolution is simply 
x (t+i) = Q.5x® and does not even depend on the sensor outputs), but as we just saw one cannot 
even construct a decoder to correct even 1 error! 
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V. Conclusion 

In this paper we considered the problems of estimation and control of linear systems when 
some of the sensors or actuators are attacked. For the estimation problem we gave a charac- 
terization of the number of attacks that can be tolerated so that the state of the system can 
still be exactly recovered, and we showed how one can increase the resilience of the system 
by state-feedback while guaranteeing a certain performance. We then showed that there is an 
explicit (though computationally hard) decoder that can correct the maximal number of errors. 
The decoder was then relaxed to obtain a computationally feasible decoding algorithm which 
appears to perform well in the numerical simulations. 

We then considered the problem of designing an output feedback law to stabilize a linear plant 
where at most q sensors are attacked. Our main result was to show that if such a resilient output- 
feedback law exists, then necessarily there also exists a decoder that is resilient against q attacks. 
This shows in particular that there is no loss of resilience in searching for an output-feedback 
law that is the composition of a decoder with a standard state feedback law. 

There are many important open questions, which are unanswered in this work. For example, 
the question of constructing an iterative estimator (where the estimate of the state is updated 
by a simple iterative rule each time a new measurement is received), instead of the one-shot l\ 
estimator in this paper, would be interesting in particular from a computational point of view. 
Another subject of interest is to study the effect of exogenous noise on the performance of the 
estimator presented in this paper. Finally, ideas on how to specialize the techniques proposed 
here to particular applications, by taking into account structural vulnerabilities (in terms of sets 
of sensors and actuators attacked) might be of interest. 
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